MODULAR EXPONENTIATION CALCULATION APPARATUS AND
MODULAR EXPONENTIATION CALCULATION METHOD

CROSS-REFERENCE TO RELATED APPLICATIONS 
This application is based upon and claims the benefit of priority from the prior Japanese Patent Application No. 2001-013565, filed January 22, 2001, the entire contents of which are incorporated herein by reference.

BACKGROUND OF THE INVENTION 

1. Field of the Invention 

The present invention relates to a modular exponentiation calculation apparatus and a modular exponentiation calculation method for obtaining m = C^d mod (p × q) with respect to object data C and independent parameters p, q, d.

2. Description of the Related Art 

There have been proposed an algorithm and hardware that unify and realize modular multiplication, the basic element of the algorithm (modular exponentiation calculation) of a public key cryptography, with Montgomery multiplication based on a residue number system (RNS) representation, which enables parallel processing of integer operations (addition/subtraction/multiplication). This will be referred to as RNS Montgomery multiplication.

The residue number system representation (RNS representation) will be described. For many types of public key cryptography such as the RSA cryptography, a multiple-precision integer is utilized to perform the conversion, and a radix representation in which the radix is 2, the so-called binary representation, is usually utilized to represent the multiple-precision integer. As another representation, a method of preparing a plurality of moduli a_1, a_2, ..., a_n and representing an integer x by the set of remainder values x_1, x_2, ..., x_n by these moduli, as in the following equations, is utilized.

x_1 = x mod a_1

x_2 = x mod a_2

...

x_n = x mod a_n

This representation method is called an RNS representation.

A group of moduli for use in the RNS representation will hereinafter be referred to as a base. Moreover, the element number n of the base will be referred to as the base size. The base "a" having a base size of n is represented as follows.

a = {a_1, a_2, ..., a_n}

In the RNS representation, positive integers prime to one another are usually used, and the Chinese remainder theorem guarantees that a positive integer less than the product of the elements of the base can be uniquely represented by the RNS representation. That is, when the base is a = {a_1, a_2, ..., a_n}, and the product of the elements of the base "a" is A = a_1 × a_2 × ... × a_n, a positive integer less than A can be represented by the RNS representation using the base "a".

In the following, an integer x subjected to the RNS representation using the base "a" is represented by <x>_a (sometimes by <x>, with the base omitted). That is, the following results.

<x>_a = (x_a1, x_a2, ..., x_an) = (x mod a_1, x mod a_2, ..., x mod a_n)

Additionally, when two types of bases are used in the following operation, with respect to bases a = {a_1, a_2, ..., a_n1} and b = {b_1, b_2, ..., b_n2}, aUb denotes the combination of {a_1, a_2, ..., a_n1} and {b_1, b_2, ..., b_n2}, and <x>_aUb denotes the RNS representation of x by the base aUb (i.e., <x>_aUb denotes the combination of <x>_a = (x mod a_1, x mod a_2, ..., x mod a_n1) and <x>_b = (x mod b_1, x mod b_2, ..., x mod b_n2)). Moreover, in the following description, for the sake of convenience the two types of bases will be described with n1 = n2 = n. Additionally, n1, n2 do not have to be equal to n.

The RNS representation is advantageous in that addition, subtraction, and multiplication can easily be carried out modulo the product "A" of all the elements of the base. That is, the desired results are obtained as the results of independent addition, subtraction, and multiplication of the respective elements by the respective moduli as follows.

<x>_a + <y>_a = (x_a1 + y_a1, x_a2 + y_a2, ..., x_an + y_an)

<x>_a - <y>_a = (x_a1 - y_a1, x_a2 - y_a2, ..., x_an - y_an)

<x>_a × <y>_a = (x_a1 × y_a1, x_a2 × y_a2, ..., x_an × y_an)

Additionally, the above operations will be referred to as RNS addition, RNS subtraction, and RNS multiplication, respectively. The left side is mod A, and the respective terms of the right side are mod a_1, mod a_2, ..., mod a_n.

Therefore, n operations can be processed in parallel. When n operation units are prepared, all the operations are processed in parallel, and fast processing is realized. Even when the number of prepared operation units is less than n, the operation speed can be enhanced in proportion to the number of units, from 1 to n.

RNS Montgomery multiplication and RNS Montgomery 
exponentiation will next be described. 

The RNS Montgomery multiplication is a method of applying the method called Montgomery multiplication to the operation in the RNS representation with respect to the multiplication <x>_aUb × <y>_aUb with a remainder in modulus N, and is generally carried out in the following procedure.

The RNS Montgomery multiplication is represented by MM(<x>_aUb, <y>_aUb, N, aUb).

Here, the inputs are <x>_aUb, <y>_aUb, N. Additionally, x and y are both less than 2N.

The bases are a, b. Additionally, x, y, N are all less than A, and less than B.

The output is <w>_aUb. Additionally, w = (x × y × B^-1 mod N) + N. Moreover, the +N is absent in some cases.

<Processing Content>

step-M-0: <-N^-1>_b is calculated.

step-M-1: <s>_a = <x>_a × <y>_a is calculated.

step-M-2: <s>_b = <x>_b × <y>_b is calculated.

step-M-3: <t>_b = <s>_b × <-N^-1>_b is calculated.

step-M-4: <t>_b is base-converted to <t>_a.

step-M-5: <u>_a = <t>_a × <N>_a is calculated.

step-M-6: <v>_a = <s>_a + <u>_a is calculated.

step-M-7: <w>_a = <v>_a × <B^-1>_a is calculated.

step-M-8: <w>_a is base-converted to <w>_b.



Additionally, in the above procedure, the base conversion of the step-M-4 or step-M-8 is a processing that, given the RNS representation of an integer by one base (e.g., the RNS representation <t>_b of the integer t by the base "b"), obtains the RNS representation of the same integer by the other base (e.g., the RNS representation <t>_a by the base "a").

An RNS Montgomery multiplier can also realize a 
fast processing by increasing the operation unit for 
performing the processing in parallel. 



Moreover, there has been proposed a method of repeatedly performing the RNS Montgomery multiplication (repeatedly utilizing the RNS Montgomery multiplier) to perform an exponentiation calculation, and thereby constituting the cryptographic processing of an RSA cryptography. This exponentiation calculation method will be referred to as the RNS Montgomery exponentiation. The RNS Montgomery exponentiation is generally carried out in the following procedure.

The RNS Montgomery exponentiation is represented by MEXP(<x>_aUb, d, N, aUb).

Here, the input is <x>_aUb, the exponent (binary representation) is d = (d_k, d_k-1, ..., d_1), and the modulus is N. Additionally, x < 2N.

The bases are a, b. Additionally, x, N are both less than A, and less than B.

The output is <y>_aUb. Additionally, y = x^d × B^-(d-1) mod N.

<Processing Content>

step-E-1: i = k is set. <y>_aUb = <B>_aUb is set.

step-E-2: <y>_aUb = MM(<y>_aUb, <y>_aUb, N, aUb) is calculated.

step-E-3: If d_i = 1, <y>_aUb = MM(<y>_aUb, <x>_aUb, N, aUb) is calculated. If d_i ≠ 1, nothing is carried out (nop).

step-E-4: i = i - 1 is set.

step-E-5: If i = 0, the procedure ends. If i ≠ 0, the procedure returns to step-E-2.

Additionally, in the above procedure, MM() in the step-E-2 and step-E-3 denotes the aforementioned RNS Montgomery multiplication.
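The RNS arithmetic, the RNS Montgomery multiplication MM of step-M-0 to step-M-8 and the RNS Montgomery exponentiation MEXP of step-E-1 to step-E-5 described above, as an added worked example in Python that is not part of the patent. The bases, the modulus N and the test values are small constructed numbers chosen so that 4N < B and 2N < A, and the base conversion of step-M-4 and step-M-8 is done by full Chinese-remainder reconstruction, which is an assumption for readability and not the Cox-Rower method the embodiment uses.

```python
from math import prod

# Two pairwise coprime bases, constructed for this example. The patent sizes each
# base at about 17 moduli of 32 bits for 512-bit p, q; here 4 small moduli suffice.
BASE_A = (113, 127, 131, 137)   # product A = 257557397
BASE_B = (101, 103, 107, 109)   # product B = 121330189 (B < A, so <B> is exact in base a)
A = prod(BASE_A)
B = prod(BASE_B)
# Constructed modulus N = p*q with 4N < B (outputs stay < 2N) and 2N < A (exactness).
N_EXAMPLE = 4999 * 5003          # 25009997

def to_rns(x, base):
    """<x>_base = (x mod a_1, x mod a_2, ..., x mod a_n)."""
    return tuple(x % m for m in base)

def from_rns(r, base):
    """The integer in [0, prod(base)) with residues r (Chinese remainder theorem)."""
    M = prod(base)
    return sum(ri * (M // mi) * pow(M // mi, -1, mi) for ri, mi in zip(r, base)) % M

def rns_add(x, y, base):
    """RNS addition: element-wise, each modulo its own base element."""
    return tuple((xi + yi) % m for xi, yi, m in zip(x, y, base))

def rns_mul(x, y, base):
    """RNS multiplication: element-wise, each modulo its own base element."""
    return tuple((xi * yi) % m for xi, yi, m in zip(x, y, base))

def base_convert(r, src, dst):
    """step-M-4 / step-M-8: representation by dst of the integer represented by r in src.
    Full CRT reconstruction is used here (assumption); the patent's hardware
    does this with the Cox-Rower method instead."""
    return to_rns(from_rns(r, src), dst)

def rns_pair(x):
    """<x>_aUb written as the pair (<x>_a, <x>_b)."""
    return (to_rns(x, BASE_A), to_rns(x, BASE_B))

def value(w_ab):
    """Integer behind (<w>_a, <w>_b); base a alone suffices since outputs are < 2N < A."""
    return from_rns(w_ab[0], BASE_A)

def mm(x_ab, y_ab, N):
    """RNS Montgomery multiplication MM(<x>_aUb, <y>_aUb, N, aUb), step-M-0 to step-M-8.
    For inputs x, y < 2N the result w equals x*y*B^-1 mod N or that value + N, so w < 2N."""
    xa, xb = x_ab
    ya, yb = y_ab
    neg_ninv_b = to_rns(-pow(N, -1, B) % B, BASE_B)     # step-M-0: <-N^-1>_b
    binv_a = to_rns(pow(B, -1, A), BASE_A)              # pre-registered <B^-1>_a
    s_a = rns_mul(xa, ya, BASE_A)                       # step-M-1: s = x*y in base a
    s_b = rns_mul(xb, yb, BASE_B)                       # step-M-2: s = x*y in base b
    t_b = rns_mul(s_b, neg_ninv_b, BASE_B)              # step-M-3: t = -s*N^-1 mod B
    t_a = base_convert(t_b, BASE_B, BASE_A)             # step-M-4: <t>_b -> <t>_a
    u_a = rns_mul(t_a, to_rns(N, BASE_A), BASE_A)       # step-M-5: u = t*N
    v_a = rns_add(s_a, u_a, BASE_A)                     # step-M-6: v = s + t*N, divisible by B
    w_a = rns_mul(v_a, binv_a, BASE_A)                  # step-M-7: w = v/B, exact since w < A
    w_b = base_convert(w_a, BASE_A, BASE_B)             # step-M-8: <w>_a -> <w>_b
    return (w_a, w_b)

def mexp(x_ab, d, N):
    """RNS Montgomery exponentiation MEXP(<x>_aUb, d, N, aUb), step-E-1 to step-E-5.
    The result y equals x^d * B^-(d-1) mod N, possibly + N."""
    y = rns_pair(B)                                     # step-E-1: <y> = <B>
    for bit in bin(d)[2:]:                              # i = k, k-1, ..., 1 (steps E-4, E-5)
        y = mm(y, y, N)                                 # step-E-2: squaring
        if bit == "1":
            y = mm(y, x_ab, N)                          # step-E-3: multiply when d_i = 1
    return y

def mm_value(x, y, N=N_EXAMPLE):
    """Integer result of MM for plain-integer inputs x, y < 2N."""
    return value(mm(rns_pair(x), rns_pair(y), N))

def mexp_value(x, d, N=N_EXAMPLE):
    """Integer result of MEXP for a plain-integer input x < 2N."""
    return value(mexp(rns_pair(x), d, N))
```

Feeding an MM output straight back in as an input is what the later text relies on: results stay below 2N, so no reduction to [0, N) is needed between operations.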

A CRT modular exponentiation calculation will next be described.

For the RSA cryptography, with respect to a public key (N, e) and a secret key (d, p, q), a plaintext m is enciphered into a ciphertext C with C = m^e mod N, and the ciphertext C is deciphered into the plaintext m with m = C^d mod N. Here, an exponentiation calculation method which utilizes the secret prime factors p, q of the modulus N of the public key to efficiently execute the decipherment, that is, which utilizes the Chinese remainder theorem (CRT), is known. This exponentiation calculation method will be referred to as the CRT modular exponentiation calculation.

<CRT Modular Exponentiation Calculation Procedure>

step-C-2: Cp = C mod p, Cq = C mod q

step-C-3: mp = Cp^dp mod p, mq = Cq^dq mod q

step-C-4: m = mp × (q^-1 mod p) × q + mq × (p^-1 mod q) × p (mod N)

Additionally, in the above procedure, since the parameters dp, dq, (q^-1 mod p), (p^-1 mod q) depend only on the secret key, the parameters are generally calculated beforehand and stored as a part of the secret key.

Noting that the dominant portion of the calculation amount of the CRT modular exponentiation calculation corresponds to the two modular exponentiation calculations of the step-C-3, and that the calculation amount of a modular exponentiation calculation is proportional to the cube of the size of the modulus, it is seen that the calculation amount of the CRT modular exponentiation calculation is about 1/4 (= 2/8) of that of the modular exponentiation calculation in the binary representation. Additionally, when the two modular exponentiation calculations of the step-C-3 are simultaneously executed in two calculation circuits, the calculation time can be expected to be reduced to about 1/8.

However, a concrete method for realizing the CRT modular exponentiation calculation of the step-C-1 to step-C-4 by the RNS Montgomery multiplication has not been realized, and it has been difficult to raise the speed of the modular exponentiation calculation of a large integer such as RSA decipherment (secret conversion).

BRIEF SUMMARY OF THE INVENTION

According to the present invention, there is provided a modular exponentiation calculation apparatus or modular exponentiation calculation method in which a modular exponentiation calculation is efficiently executed.

According to an embodiment of the present invention, there is provided a modular exponentiation calculation apparatus which utilizes a residue number system representation by a first base and a second base, each being a set of a plurality of integers, with respect to object data C and parameters p, q, d (all the integers included in both bases are mutually prime, the product "A" of all the integers of the first base satisfies A > p, A > q, the product "B" of all the integers of the second base satisfies B > p, B > q, and A × B > C) to obtain a calculation result m = C^d mod (p × q), the apparatus comprising:

a first processing unit configured to obtain a residue number system representation of a value Cp^dp × B mod p, or that value with p added thereto, based on a residue number system representation of a remainder value Cp = C mod p of the data C by p and a remainder value dp = d mod (p - 1) of the parameter d by (p - 1);

a second processing unit configured to obtain a residue number system representation of a value Cq^dq × B mod q, or that value with q added thereto, based on a residue number system representation of a remainder value Cq = C mod q of the data C by q and a remainder value dq = d mod (q - 1) of the parameter d by (q - 1);



a third processing unit configured to obtain a residue number system representation of an integer m' congruent with C^d mod (p × q) based on both the residue number system representations obtained by the first and second processing units; and

a fourth processing unit configured to obtain the calculation result m based on the value of the integer m' obtained by converting the residue number system representation obtained by the third processing unit into a binary representation.
BRIEF DESCRIPTION OF THE SEVERAL VIEWS OF THE DRAWING

FIG. 1 is a diagram showing a functional constitution example of a modular exponentiation calculation apparatus according to a first embodiment of the present invention;

FIG. 2 is a flowchart showing one example of a processing procedure of the calculation apparatus of FIG. 1;

FIG. 3 is a diagram showing an internal constitution example relating to each operation unit of the calculation apparatus of FIG. 1;

FIG. 4 is a part of the flowchart showing another example of the processing procedure of the calculation apparatus according to the embodiment in FIG. 2;

FIG. 5 is a diagram showing an internal constitution example relating to each operation unit of the modular exponentiation calculation apparatus according to another embodiment;

FIG. 6 is a diagram showing a functional constitution example of the modular exponentiation calculation apparatus according to still another embodiment;

FIG. 7 is a diagram showing an internal constitution example relating to each operation unit of the modular exponentiation calculation apparatus according to a still further embodiment; and

FIG. 8 is an explanatory view of an enciphering system using the above embodiments.

DETAILED DESCRIPTION OF THE INVENTION

An embodiment of a modular exponentiation calculation apparatus or method according to the present invention will now be described with reference to the accompanying drawings.

First Embodiment

FIG. 1 shows a functional constitution diagram of a calculation apparatus according to one embodiment of the present invention.

A calculation apparatus 1 of the present embodiment comprises an RNS operator 12 for calculating on RNS-represented integers; an operator 14 for performing auxiliary operations in the binary representation; an input/output unit 11 for performing input/output with an external device; and a controller 13 for controlling the entire constitution.
The RNS operator 12 includes an RNS inverse element calculator 122; an RNS Montgomery multiplier 123; an RNS Montgomery exponentiation calculator 124; an RNS multiplier 125; an RNS adder 126; a first representation converter (binary representation to RNS representation) 127; a second representation converter (RNS representation to binary representation) 128; and a storage 121.

The auxiliary operator 14 in the binary 
representation includes a remainder calculator 141; and 
adder/subtracter 142. 

In the aforementioned operation units, the RNS 
operator 12 occupies a greater part in scale. 

The storage 121 is constituted, for example, of 
ROM and RAM for storing bases utilized in the RNS 
representation, parameters calculated beforehand and 
stored in the apparatus, and the like. 

The RNS Montgomery multiplier 123 performs the 
aforementioned RNS Montgomery multiplication of 
step-M-0 to step-M-8. 

The RNS Montgomery exponentiation calculator 124 
performs the aforementioned Montgomery exponentiation 
of step-E-1 to step-E-5. 

The RNS multiplier 125 performs the aforementioned 
RNS multiplication. 

The RNS adder 126 performs the aforementioned RNS addition.

The first representation converter 127 converts a binary representation to an RNS representation.

The second representation converter 128 converts 
the RNS representation to the binary representation. 

Additionally, these are described in detail, for example, in Document 1, "Cox-Rower Architecture for Fast Parallel Montgomery Multiplication", Kawamura, Koike, Sano, and Shimbo, EUROCRYPT 2000, LNCS 1807, pp. 523-538, 2000.

The RNS inverse element calculator 122 calculates <-x^-1>_a using <x>_a as an input. That is, -x_i^-1 is calculated from x_i with respect to each base element a_i and each element x_i of <x>_a (mod a_i). Concretely, the calculation is executed in the following procedure.

<Inverse Element Calculation in Base Element a_i>

step 0: The Carmichael function λ(a_i) is calculated with respect to the base element a_i, and stored in the storage 121. A concrete equation of the Carmichael function λ is given below. This calculation is described in "Contemporary Cryptography", Sangyo Tosyo, p. 16, authored by Tatsuaki Okamoto and Hirosuke Yamamoto. The bit size of λ(a_i) is not more than the bit size of a_i.

The following is [Fermat's little theorem].

Assuming that p is a prime number, a^(p-1) = 1 (mod p) is established with respect to an arbitrary integer a ∈ Z_p other than 0.

Based on this theorem, the Euler function φ(n) with respect to an integer n is the number of elements of Z*_n. For example, when p, q are distinct odd primes, φ(p) = p - 1, φ(p^e) = p^(e-1)(p - 1), φ(pq) = (p - 1)(q - 1).

The Carmichael function λ(n) with respect to the integer n is defined as follows. When n = 2^e0 × p_1^e1 × ... × p_r^er (p_1, ..., p_r are distinct odd primes),

λ(n) = LCM(λ(2^e0), φ(p_1^e1), ..., φ(p_r^er))

λ(2^t) = 2^(t-1) if t < 3
       = 2^(t-2) if t ≥ 3

With respect to all x (< a_i) prime to the modulus a_i, x^λ(a_i) = 1 (mod a_i) is obtained. Here, the input x is assumed to be a secret key p, q (a prime number) or the product N (the product of two prime numbers) of an RSA cryptography. Then these are necessarily prime to the modulus a_i.

step 1: x_i^-1 = x_i^(λ(a_i) - 1) is calculated by modular multiplication in the operation unit (mod a_i).

step 2: -x_i^-1 = a_i - x_i^-1 is calculated.

In the above calculation, in step 1, the bit size of the Carmichael function λ(a_i) is not more than the bit size of a_i. Therefore, when the word size of the operation unit is set to 32 bits, the number of modular multiplications is 64 or less.
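The inverse element calculation of step 0 to step 2 above, as an added Python example that is not from the patent: λ(a_i) from the factorization of a_i (the trial-division routine is a constructed helper), the inverse by exponentiation to λ(a_i) - 1 with the modular multiplications counted, and the negation -x_i^-1 = a_i - x_i^-1. Composite moduli are allowed, which is what λ (rather than the exponent a_i - 2 from Fermat's theorem) buys.

```python
from math import gcd, lcm

def factorize(n):
    """Trial-division factorization as {prime: exponent}; adequate for the
    32-bit-sized moduli a_i of the text (constructed helper, not the patent's)."""
    factors, d = {}, 2
    while d * d <= n:
        while n % d == 0:
            factors[d] = factors.get(d, 0) + 1
            n //= d
        d += 1 if d == 2 else 2
    if n > 1:
        factors[n] = factors.get(n, 0) + 1
    return factors

def euler_phi_prime_power(p, e):
    """φ(p^e) = p^(e-1) * (p - 1) for an odd prime p."""
    return p ** (e - 1) * (p - 1)

def carmichael(n):
    """λ(n) = LCM(λ(2^e0), φ(p_1^e1), ..., φ(p_r^er)),
    with λ(2^t) = 2^(t-1) for t < 3 and 2^(t-2) for t >= 3."""
    lam = 1
    for p, e in factorize(n).items():
        if p == 2:
            part = 2 ** (e - 1) if e < 3 else 2 ** (e - 2)
        else:
            part = euler_phi_prime_power(p, e)
        lam = lcm(lam, part)
    return lam

def pow_with_count(x, e, m):
    """x^e mod m by left-to-right square-and-multiply, also returning the number of
    modular multiplications: bitlen(e) squarings + popcount(e) multiplications,
    i.e. at most 2*bitlen(e). For a 32-bit λ(a_i) that is the '64 or less' of the text."""
    result, count = 1, 0
    for bit in bin(e)[2:]:
        result = (result * result) % m
        count += 1
        if bit == "1":
            result = (result * x) % m
            count += 1
    return result, count

def rns_neg_inverse(x_rns, base):
    """<-x^-1>_a from <x>_a: step 0 λ(a_i); step 1 x_i^-1 = x_i^(λ(a_i)-1) mod a_i;
    step 2 -x_i^-1 = a_i - x_i^-1. Raises if some x_i is not prime to its a_i."""
    out = []
    for xi, ai in zip(x_rns, base):
        if gcd(xi, ai) != 1:
            raise ValueError(f"{xi} has no inverse mod {ai}")
        lam = carmichael(ai)                       # step 0 (would live in the storage 121)
        inv, _ = pow_with_count(xi, lam - 1, ai)   # step 1
        out.append((ai - inv) % ai)                # step 2
    return tuple(out)
```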

In the remainder calculator 141, a dividend x and a divisor y in the binary representation are inputted, and x mod y is calculated. This calculation procedure can be executed by usual division, and is described, for example, in "The Art of Computer Programming", Addison Wesley Longman, Inc., pp. 342-345, authored by Donald E. Knuth. The calculation amount is substantially the same as that of x1 × x2.

The adder/subtracter 142 performs binary addition/subtraction.

The calculation apparatus 1 combines the following RNS operations and executes the CRT exponentiation.

• RNS Montgomery multiplication <z> = MM(<x>_aUb, <y>_aUb, p, aUb)
Here, z = x × y × B^-1 mod p, or z = (x × y × B^-1 mod p) + p.

• RNS Montgomery exponentiation <z> = MEXP(<x>_aUb, e, p, aUb)
Here, z = x^e × B^-(e-1) mod p, or z = (x^e × B^-(e-1) mod p) + p.

• RNS multiplication <z> = MUL(<x>_a, <y>_a, a)
Here, z = x × y mod A (multiplication of x and y in the base "a").

• RNS addition <z> = ADD(<x>_a, <y>_a, a)
Here, z = x + y mod A (addition of x and y in the base "a").

The last argument (a, aUb, and the like) in an RNS operation denotes the base utilized in the RNS representation. Assuming that the value of the product of the elements of the base "a" is A, and the value of the product of the elements of the base "b" is B, the value of the product of the elements of the base aUb is A × B. The outputs of the RNS Montgomery multiplication and RNS Montgomery exponentiation satisfy z < A and z < B.

As described above, in the RNS Montgomery multiplication and RNS Montgomery exponentiation, the result is sometimes larger than the modulus p (by p), owing to a property of Montgomery multiplication. That is, MM(<x>, <y>, p, aUb) < 2p and MEXP(<x>_aUb, e, p, aUb) < 2p. When the modulus p is fixed, the output of the RNS Montgomery multiplication or the RNS Montgomery exponentiation is less than 2p, and this output can be inputted to the RNS Montgomery multiplication or the RNS Montgomery exponentiation as it is.

The following parameters are stored beforehand in the calculation apparatus 1.

Pre-registered parameters: base "a", base "b", product "A" of the elements of the base "a", product "B" of the elements of the base "b", product A × B of all the elements of the bases "a" and "b", B^2, <B^-1>_a.

Additionally, as a relation of a parameter size in 
the bases "a", "b" and CRT exponentiation, at least 
p < A, q < A, and p < B, q < B are necessary. As a 
result, with respect to N = p x q, at least N < A x B. 

Here, the parameters inputted to the calculation apparatus 1 from the outside in order to execute the CRT exponentiation are as follows.

External input parameters: ciphertext C, dp = d mod (p - 1), dq = d mod (q - 1), N (= p × q), p, q, the inverse element pinv = p^-1 mod q of p in the modulus q, the inverse element qinv = q^-1 mod p of q in the modulus p.

FIG. 2 shows one example of a processing procedure 
of the CRT exponentiation in the calculation apparatus 
1. Moreover, FIG. 3 shows an internal constitution 
example relating to each operation unit of the 
calculation apparatus 1. 

Step S0: The external input parameters C, dp, dq, N, p, q, pinv, qinv are inputted.

In the following procedure, the steps S1-p to S9-p and S1-q to S9-q, and in particular each pair of corresponding steps Si-p and Si-q, execute similar operations relating to the two prime factors p and q of N.

Step S1-p: The first representation converter 127 is utilized to convert the binary representation p to the RNS representation <p> by the base aUb (= <p>_a U <p>_b = {p mod a_1, p mod a_2, ..., p mod a_n} U {p mod b_1, p mod b_2, ..., p mod b_n}).

Step S1-q: The first representation converter 127 is utilized to convert the binary representation q to the RNS representation <q> by the base aUb (= <q>_a U <q>_b = {q mod a_1, q mod a_2, ..., q mod a_n} U {q mod b_1, q mod b_2, ..., q mod b_n}).

Step S2-p: The RNS inverse element calculator 122 is utilized to calculate <-p^-1>_b from <p>_b obtained in the step S1-p.

Step S2-q: The RNS inverse element calculator 122 is utilized to calculate <-q^-1>_b from <q>_b obtained in the step S1-q.

Step S3-p: The remainder calculator 141 is utilized to calculate bp = B^2 mod p, and the first representation converter 127 is utilized to convert bp from the binary representation to the RNS representation <bp> by the base aUb.

Step S3-q: The remainder calculator 141 is utilized to calculate bq = B^2 mod q, and the first representation converter 127 is utilized to convert bq from the binary representation to the RNS representation <bq> by the base aUb.

Step S4-p: The first representation converter 127 
is utilized to convert pinv to the RNS representation 
<pinv> by the base aUb from the binary representation. 

Step S4-q: The first representation converter 127 
is utilized to convert qinv to the RNS representation 
<qinv> by the base aUb from the binary representation. 

Step S5-p: The remainder calculator 141 is utilized to calculate Cp = C mod p, and the first representation converter 127 is utilized to convert Cp from the binary representation to the RNS representation <Cp> by the base aUb.

Step S5-q: The remainder calculator 141 is utilized to calculate Cq = C mod q, and the first representation converter 127 is utilized to convert Cq from the binary representation to the RNS representation <Cq> by the base aUb.

Step S6-p: The RNS Montgomery multiplier 123 is utilized to calculate <Cp'> = MM(<Cp>, <bp>, p, aUb).

<Processing Content with Use of the aforementioned Algorithm>

step-M-1: <s>_a = <Cp>_a × <bp>_a is calculated.

step-M-2: <s>_b = <Cp>_b × <bp>_b is calculated.

step-M-3: <t>_b = <s>_b × <-p^-1>_b is calculated.

step-M-4: <t>_b is base-converted to <t>_a.

step-M-5: <u>_a = <t>_a × <p>_a is calculated.

step-M-6: <v>_a = <s>_a + <u>_a is calculated.

step-M-7: <Cp'>_a = <v>_a × <B^-1>_a is calculated.

step-M-8: <Cp'>_a is base-converted to <Cp'>_b.

Thereby, the RNS representation <Cp'> corresponding to either Cp' = C × B mod p or Cp' = (C × B mod p) + p is obtained.

Step S6-q: The RNS Montgomery multiplier 123 is utilized to calculate <Cq'> = MM(<Cq>, <bq>, q, aUb). Additionally, when the aforementioned algorithm is utilized, the processing content is constituted by replacing p with q in the processing content of the step S6-p.

Thereby, the RNS representation <Cq'> corresponding to either Cq' = C × B mod q or Cq' = (C × B mod q) + q is obtained.
Step S7-p: The RNS Montgomery exponentiation calculator 124 is utilized to calculate <mp'> = MEXP(<Cp'>, dp, p, aUb).

<Processing Content with Use of the aforementioned Algorithm>

step-E-1: i = k is set. <y>_aUb = <B>_aUb is set.

step-E-2: <y>_aUb = MM(<y>_aUb, <y>_aUb, p, aUb) is calculated.

step-E-3: If dp_i = 1, <y>_aUb = MM(<y>_aUb, <Cp'>_aUb, p, aUb) is calculated. If dp_i ≠ 1, nothing is processed (nop). Here, dp_i is the value of the i-th bit from the least significant end in the binary representation (dp_k, dp_k-1, ..., dp_1) of dp.

step-E-4: i = i - 1 is set.

step-E-5: If i = 0, the procedure ends. If i ≠ 0, the procedure returns to the step-E-2.

Thereby, the RNS representation <mp'> corresponding to either mp' = Cp^dp × B mod p or mp' = (Cp^dp × B mod p) + p is obtained.

Step S7-q: The RNS Montgomery exponentiation calculator 124 is utilized to calculate <mq'> = MEXP(<Cq'>, dq, q, aUb). Additionally, when the aforementioned algorithm is utilized, the processing content is constituted by replacing p with q in the processing content of the step S7-p.

Thereby, the RNS representation <mq'> corresponding to either mq' = Cq^dq × B mod q or mq' = (Cq^dq × B mod q) + q is obtained.

Step S8-p: The RNS Montgomery multiplier 123 is utilized to calculate <tp> = MM(<mp'>, <q^-1 mod p>, p, aUb).

<Processing Content with Use of the aforementioned Algorithm>

step-M-1: <s>_a = <mp'>_a × <qinv>_a is calculated.

step-M-2: <s>_b = <mp'>_b × <qinv>_b is calculated.

step-M-3: <t>_b = <s>_b × <-p^-1>_b is calculated.

step-M-4: <t>_b is base-converted to <t>_a.

step-M-5: <u>_a = <t>_a × <p>_a is calculated.

step-M-6: <v>_a = <s>_a + <u>_a is calculated.

step-M-7: <tp>_a = <v>_a × <B^-1>_a is calculated.

step-M-8: <tp>_a is base-converted to <tp>_b.

Thereby, the RNS representation <tp> corresponding to either tp = Cp^dp × q^-1 mod p or tp = (Cp^dp × q^-1 mod p) + p is obtained.

Step S8-q: The RNS Montgomery multiplier 123 is utilized to calculate <tq> = MM(<mq'>, <p^-1 mod q>, q, aUb). Additionally, when the aforementioned algorithm is utilized, the processing content is constituted by replacing p with q in the processing content of the step S8-p.

Thereby, the RNS representation <tq> corresponding to either tq = Cq^dq × p^-1 mod q or tq = (Cq^dq × p^-1 mod q) + q is obtained.

Step S9-p: The RNS multiplier 125 is utilized to calculate <up> = MUL(<tp>, <q>, aUb).

Thereby, the RNS representation <up> corresponding to up = tp × q mod (A × B) is obtained.

Step S9-q: The RNS multiplier 125 is utilized to calculate <uq> = MUL(<tq>, <p>, aUb).

Thereby, the RNS representation <uq> corresponding to uq = tq × p mod (A × B) is obtained.

Step S10: The RNS adder 126 is utilized to calculate <m'> = ADD(<up>, <uq>, aUb).

Thereby, the RNS representation <m'> corresponding to m' = up + uq mod (A × B) is obtained.

Step S11: The second representation converter 128 is utilized to convert <m'> from the RNS representation (base aUb) to the binary representation m'. Here, m' is not less than N in some cases. Therefore, when m' is not less than N, the adder/subtracter 142 performs a processing for making the value less than N.

Step S12: m' is copied to m (stored).

Step S13: m' = m' - N is calculated.

Step S14: It is determined whether or not m' < 0. Unless m' < 0, the procedure returns to the step S12. If m' < 0, the procedure leaves the loop and proceeds to step S15.

Step S15: m is outputted, and the procedure ends.

Additionally, instead of the steps S12 to S15, for example, another procedure such as steps S21 to S24 of FIG. 4 may be used.

Moreover, instead of inputting N from the outside, the adder/subtracter 142 may obtain N by p × q.

In the procedure, in the steps S5-p, S6-p and steps S5-q, S6-q, Cp' = C × B mod p (+ p) and Cq' = C × B mod q (+ q) are calculated, and the processing corresponds to the aforementioned processing of the step-C-2 in the usual CRT exponentiation.
The processing of the steps S7-p and S7-q corresponds to the processing of step-C-3 in the usual CRT exponentiation.

The processing of the steps S8-p, S9-p, S8-q, S9-q, S10 corresponds to the processing of step-C-4 in the aforementioned usual CRT exponentiation. Here, the processing of the step-C-4 can be modified as follows, and this respect is utilized.

m = mp × (q^-1 mod p) × q + mq × (p^-1 mod q) × p
  = {mp × (q^-1 mod p) mod p} × q + {mq × (p^-1 mod q) mod q} × p (mod N)

If there is no addition error of p and q in the RNS Montgomery multiplication, m' as the result of the step S11 satisfies m' < 2N in the CRT modular exponentiation calculation. Therefore, when the addition error is considered, m' < 4N results. Therefore, it is necessary to subtract 3N at maximum from m', and the necessary correction is performed in the steps S12 to S14. Since m' has been converted to a binary number, it is easy to determine its positive/negative sign. This processing corresponds to the procedure for obtaining the remainder value in the modulus N in the processing of step-C-4 of the usual CRT exponentiation described above.
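The steps S3 to S14 at the integer level, as an added Python example that is not from the patent, to check the bound m' < 4N and the correction of the steps S12 to S14 just described: every Montgomery result is modelled as the reduced value with an optional +p or +q standing for the addition error, so the worst case can be forced. The key (p, q, d) and B are small constructed values, with B a power of two for readability; the RNS bases themselves are not modelled here.

```python
# Constructed toy RSA key (not from the patent): two small primes, e = 65537, d = e^-1.
P, Q = 7919, 6007
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
# Stand-in for the product B of base b. The text needs B > p, q (and 4p < B for
# results < 2p); using a power of two here is an assumption for readability.
B = 1 << 16

def crt_parameters(p, q, d):
    """The pre-computed secret-key parameters given as external input in Step S0."""
    return {"dp": d % (p - 1), "dq": d % (q - 1),
            "pinv": pow(p, -1, q), "qinv": pow(q, -1, p)}

def mont_mul(x, y, n, extra):
    """Integer-level model of MM(<x>, <y>, n, aUb): x*y*B^-1 mod n, plus n when
    'extra' is set, standing for the +n the RNS circuit may leave in its output."""
    return (x * y * pow(B, -1, n)) % n + (n if extra else 0)

def mont_exp(x, e, n, extra):
    """Integer-level model of MEXP (step-E-1 to step-E-5): x^e * B^-(e-1) mod n (+n)."""
    y = B                                        # step-E-1: y = B
    for bit in bin(e)[2:]:                       # i = k down to 1
        y = mont_mul(y, y, n, extra)             # step-E-2
        if bit == "1":
            y = mont_mul(y, x, n, extra)         # step-E-3
    return y

def branch(C, r, dr, s_inv, extra):
    """One of the two symmetric branches (r = p with s = q, or r = q with s = p):
    Steps S3-r, S5-r, S6-r, S7-r, S8-r. Returns t_r = C_r^dr * s^-1 mod r (+r)."""
    b_r = (B * B) % r                            # S3-r: b_r = B^2 mod r
    C_r = C % r                                  # S5-r: C_r = C mod r
    C_r_mont = mont_mul(C_r, b_r, r, extra)      # S6-r: C_r' = C*B mod r (+r)
    m_r_mont = mont_exp(C_r_mont, dr, r, extra)  # S7-r: m_r' = C_r^dr * B mod r (+r)
    return mont_mul(m_r_mont, s_inv, r, extra)   # S8-r: t_r = C_r^dr * s^-1 mod r (+r)

def crt_uncorrected(C, p, q, prm, extra_p=False, extra_q=False):
    """Steps S3 to S10 for both branches: the m' that Step S11 converts to binary.
    Since t_p < 2p and t_q < 2q, m' = t_p*q + t_q*p < 4N."""
    tp = branch(C, p, prm["dp"], prm["qinv"], extra_p)
    tq = branch(C, q, prm["dq"], prm["pinv"], extra_q)
    up, uq = tp * q, tq * p                      # S9-p, S9-q (no wrap mod A*B at this size)
    return up + uq                               # S10: m' = up + uq

def correct(m_prime, n):
    """Steps S12 to S14: subtract n until the next subtraction would go negative.
    Returns (m, number of subtractions); the count is at most 3 for m' < 4n."""
    subtractions = 0
    while True:
        m = m_prime                              # S12: m <- m'
        m_prime -= n                             # S13: m' <- m' - n
        if m_prime < 0:                          # S14: leave the loop
            return m, subtractions
        subtractions += 1

def crt_decrypt(C, p=P, q=Q, d=D):
    """Whole pipeline in the worst case (every MM leaves its +p or +q); returns C^d mod N."""
    m_prime = crt_uncorrected(C, p, q, crt_parameters(p, q, d), True, True)
    return correct(m_prime, p * q)[0]
```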

Each calculation step of the CRT modular exponentiation calculation can be executed using an operation function which can be executed by the RNS operator 12. Particularly, the RNS Montgomery exponentiation of the steps S7-p and S7-q occupies a large part of the calculation processing, and it is important to utilize as a base the union aUb in which bases a, b slightly larger than the moduli p, q are used.

The calculation amount of the RNS Montgomery multiplication can be evaluated by the calculation amount of the base conversion executed in the multiplication. When one base element is considered, this processing requires multiplications of the word size on the order of the base size n. Furthermore, this processing is executed for all the base elements of the base to be converted. Therefore, the calculation amount of the RNS Montgomery multiplication is of the order of the square of the base size n. Moreover, the calculation amount of the RNS Montgomery exponentiation corresponds to that of repeating the RNS Montgomery multiplication a number of times given by the bit size L_e of the exponent. Therefore, the calculation amount of the RNS Montgomery exponentiation is O(n^2 × L_e).

Concretely, for example, an RSA cryptography of 
1024 bits is assumed. In this case, each of the secret 
key d, N and the ciphertext C is of 1024 bits. 
Therefore, when this is executed by the Montgomery 
exponentiation in the RNS representation as in a 
conventional method, the base a' (and b') to be used 
has at minimum 33 elements (= 1024/32 (word size) + 1). 
On the other hand, each of the values Cp, Cq obtained 
by reducing the secret keys dp, dq, p, q and C utilized 
in the CRT exponentiation described in the embodiment 
by the moduli p, q is of 512 bits. Therefore, the base 
a (and b) to be utilized has at minimum 17 elements 
(= 512/32 (word size) + 1). It is most efficient for 
the processing time to utilize the minimum number of 
base elements. On this assumption, the calculation 
amount of the modular exponentiation calculation by the 
CRT is compared with that of the modular exponentiation 
calculation which does not use the CRT. Since the base 
size is about halved and the cost is of the order of 
n^2, the calculation amount of one RNS Montgomery 
multiplication when the CRT is used is about 1/4 of 
that when the CRT is not used, and the size of the 
exponent when the CRT is used is 1/2 of that when the 
CRT is not used. When the CRT is used, it is necessary 
to calculate the RNS Montgomery exponentiation twice. 
Therefore, as a whole, according to the CRT modular 
exponentiation calculation, the RSA deciphering 
operation can be realized with a processing amount of 
about 1/4 as compared with the conventional RNS 
Montgomery exponentiation. Moreover, when the two RNS 
Montgomery exponentiations are executed simultaneously 
in two circuits, the RSA deciphering operation can be 
realized with a processing amount of about 1/8 as 
compared with the conventional RNS Montgomery 
exponentiation. 
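The comparison above carried through in code, as an added example that is not part of the patent: the base sizes 33 and 17 with the O(n^2 x L_e) cost model give the ratios of about 1/4 (and 1/8 with two circuits), and a CRT decryption in the form of the steps described (reduce C by p and q, two half-size exponentiations, recombination through pinv = p^-1 mod q and qinv = q^-1 mod p) is checked against a direct C^d mod N. The cost model as a word-multiplication count, the small constructed primes, and the final re-encryption check (a common safeguard against a wrong CRT result, not something the patent describes) are assumptions of the example.

```python
# Added example, not the patent's own code.  Key values below are small
# constructed test primes, not a real RSA key.
import math


def rns_base_size(bits, word_bits=32):
    """Minimum number of base elements for a `bits`-bit operand: one element
    per word plus one extra, as in the text (1024 -> 33, 512 -> 17)."""
    return math.ceil(bits / word_bits) + 1


def exponentiation_cost(operand_bits, exponent_bits, word_bits=32):
    """Cost model of the text: one RNS Montgomery multiplication costs about
    n^2 word multiplications (base conversion over n elements, each of order
    n), and an exponentiation repeats it L_e times, L_e = exponent bit size."""
    n = rns_base_size(operand_bits, word_bits)
    return n * n * exponent_bits


def crt_cost_ratio(key_bits=1024, word_bits=32, parallel=False):
    """Cost of CRT decryption (two exponentiations with half-size modulus and
    half-size exponent) relative to one full-size exponentiation.  With two
    circuits the two halves run concurrently, so only one is counted."""
    full = exponentiation_cost(key_bits, key_bits, word_bits)
    half = exponentiation_cost(key_bits // 2, key_bits // 2, word_bits)
    return (half if parallel else 2 * half) / full


def crt_decrypt(C, p, q, dp, dq, pinv, qinv, e=None):
    """m = C^d mod (p*q) via the CRT, with the key-only parameters supplied
    from outside as in the text: dp = d mod (p-1), dq = d mod (q-1),
    pinv = p^-1 mod q, qinv = q^-1 mod p."""
    N = p * q
    Cp, Cq = C % p, C % q                    # reduce C by each modulus
    mp, mq = pow(Cp, dp, p), pow(Cq, dq, q)  # two half-size exponentiations
    # recombination: q*qinv = 1 mod p and p*pinv = 1 mod q, so the first
    # term equals mp mod p and vanishes mod q, the second the other way round
    m = (mp * q * qinv + mq * p * pinv) % N
    if e is not None and pow(m, e, N) != C % N:
        # re-encryption check (an assumption of this example, not in the
        # patent): a result that does not reproduce C must not be output
        raise ValueError("CRT result does not re-encrypt to C")
    return m


def demo():
    """Constructed toy key p = 61, q = 53, e = 17, d = 2753; returns the
    recovered plaintext and the two cost ratios for a 1024-bit key."""
    p, q, e, d = 61, 53, 17, 2753
    dp, dq = d % (p - 1), d % (q - 1)
    pinv, qinv = pow(p, -1, q), pow(q, -1, p)   # modular inverse, Python 3.8+
    C = pow(65, e, p * q)                        # encrypt m = 65
    m = crt_decrypt(C, p, q, dp, dq, pinv, qinv, e)
    assert m == pow(C, d, p * q)                 # agrees with direct C^d mod N
    return m, crt_cost_ratio(), crt_cost_ratio(parallel=True)


if __name__ == "__main__":
    print(demo())   # -> (65, 0.2653..., 0.1326...)
```

The ratios come out slightly above 1/4 and 1/8 because 17/33 is a little more than one half; the text's "about 1/4" and "about 1/8" are the same rounding.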

As described above, according to the present 
embodiment, when the operation utilizing the Chinese 
remainder theorem, operation utilizing a residue number 
system, and Montgomery operation are united, the 
modular exponentiation calculation can be more 
efficiently executed. 

Other embodiments will be described hereinafter. 

In the procedure of FIG. 2, the procedure of the 
steps S1-p to S5-p may be performed in any order except 
that the step S2-p follows the step S1-p (the remainder 
calculator 141 and representation converter 127 are set 
to be processable in parallel, and a whole or a part of 
the processing may be performed in parallel). 

Moreover, in the procedure of FIG. 2, in the steps 
Si-p and Si-q corresponding to the steps S1-p to S9-p 
and S1-q to S9-q, similar operations relating to the two 
prime factors p and q of N are executed. For the 
operation of S1-p to S9-p and S1-q to S9-q, the p and q 
parts may be executed by turns. Alternatively, after all 
the p parts are executed, all the q parts may be 
executed. In the latter case, since storing/retrieving 
an intermediate variable to/from a memory decreases, 
the efficiency may be enhanced. 

Furthermore, the p and q parts may also be 
processed in a pipeline manner. 

Additionally, when a whole or a part of the 
corresponding operation unit is set to be processable 
in parallel, the p and q parts can also be executed in 
parallel. An internal constitution example relating 
to each operation unit of the calculation apparatus 1 
in a case in which the p and q parts are separately 
processed is shown in FIG. 5. 

Moreover, for example, all of the RNS Montgomery 
multiplier 123, RNS Montgomery exponentiation 
calculator 124, RNS multiplier 125, and RNS adder 126, 
only the RNS Montgomery multiplier 123 and RNS 
Montgomery exponentiation calculator 124, or only the 
RNS Montgomery exponentiation calculator 124 are set so 
that the processing of the p parts and q parts can be 
performed in parallel. 

Of course, each operation unit can perform a 
parallel calculation derived from the RNS operation and 
raise the speed. In this case, the operation with 
respect to all the elements of the base can be 
constituted to be executed simultaneously, or the 
operation with respect to some elements of the base 
(e.g., the number of elements corresponding to a factor 
of the integer indicating the base size) can be 
constituted to be executed at the same time. 

Moreover, in the aforementioned embodiment, an 
example in which pinv = p^-1 mod q, qinv = q^-1 mod p are 
inputted from the external device has been described, 
but these may be calculated from p, q. In this case, 
as shown in FIG. 6, as an auxiliary operation unit in 
the binary representation, in addition to the remainder 
calculator 141 and adder/subtracter 142, an inverse 
element calculator 143 may further be disposed. 

In the inverse element calculator 143, an integer x 
in the binary representation and the value y of the 
modulus are inputted to calculate x^-1 mod y. This 
calculation is often executed by an algorithm called 
the extended Euclidean algorithm. The calculation is 
described, for example, in "The Art of Computer 
Programming", Addison Wesley Longman, Inc., pp. 342-345, 
by Donald E. Knuth. In general, the calculation amount 
corresponds to that of about ten modular multiplication 
operations of the size of y. 

Furthermore, the example in which dp = d mod 
(p-1), dq = d mod (q-1) are inputted from the outside 
has been described above in the constitution example, 
but they may be calculated from p, q. The calculation 
can be performed by the remainder calculator 141. 

An internal constitution example relating to each 
operation unit of the calculation apparatus 1 in which 
pinv, qinv, dp, dq are calculated from p, q is shown in 
FIG. 7. 

Additionally, of the external input parameters 
(ciphertext C, dp = d mod (p-1), dq = d mod (q-1), 
N (= p x q), p, q, pinv = p^-1 mod q, qinv = q^-1 mod p), 
the parameters other than the ciphertext C are 
parameters corresponding to the secret key of RSA. It 
is also possible to store all or some of the parameters 
in the calculation apparatus 1. In this case, the 
ciphertext C and key identification information 
necessary for selecting a key parameter group in the 
calculation apparatus 1 may be inputted. 

Moreover, the calculation shown in the steps S1-p 
to S4-p and steps S1-q to S4-q of FIG. 2 depends only 
on the secret keys (p, q, pinv, qinv) of the RSA. The 
ciphertext C of the RSA differs with each session, but 
the RSA secret key is not changed very often (there can 
be a system in which the RSA secret key is unchanged). 
Then, the result obtained by executing the steps 
S1-p to S4-q is stored. As long as the same RSA secret 
key is used, the steps S1-p to S4-q are skipped, and 
the result stored beforehand is utilized to perform the 
processing of and after the step S5-p. When the RSA 
secret key is changed, the steps S1-p to S4-q may be 
executed anew. 

Furthermore, when the RSA secret key is managed by 
key identification information, the result may be 
associated with the key identification information and 
stored. 

Additionally, when the RSA secret key is single 
and unchanged, only C is inputted from the outside, and 
the data (p, q, N, <p>, <q>, <-p^-1>_b, <-q^-1>_b, <bp>, 
<bq>, <pinv>, <qinv>, <bp>, <bq>) depending only on the 
RSA secret key may be stored beforehand in the storage. 

Moreover, when there are a plurality of RSA secret 
keys, only C and the key identification information are 
inputted from the outside. The data (p, q, N, <p>, 
<q>, <-p^-1>_b, <-q^-1>_b, <bp>, <bq>, <pinv>, <qinv>, 
<bp>, <bq>) depending only on the RSA secret key is 
associated with the key identification information, and 
stored beforehand in the storage. The data corresponding 
to the key identification information inputted from the 
outside may be read from the storage and used. 
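The inverse element calculator of FIG. 6 and FIG. 7 and the key parameter storage just described, as an added example that is not the patent's own code: the extended Euclidean algorithm computes x^-1 mod y (and refuses when no inverse exists), the key-only parameters dp, dq, pinv, qinv are derived once from p, q, d, and a small store keeps one parameter group per key identification information so that only C and the identifier are input per session. The small constructed primes, the store layout and the function names are assumptions of the example.

```python
# Added example, not the patent's own code: inverse element calculation by
# the extended Euclidean algorithm, derivation of the key-only parameters
# from p, q, d, and a store holding a parameter group per key identifier.
# Key values used below are small constructed test primes, not a real key.


def ext_gcd(a, b):
    """Iterative extended Euclid: returns (g, x, y) with a*x + b*y = g = gcd(a, b)."""
    x0, x1, y0, y1 = 1, 0, 0, 1
    while b:
        qt, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - qt * x1
        y0, y1 = y1, y0 - qt * y1
    return a, x0, y0


def mod_inverse(x, y):
    """x^-1 mod y for binary integers x, y; raises when gcd(x, y) != 1,
    i.e. when no inverse exists (for RSA this means p, q are not coprime)."""
    g, s, _ = ext_gcd(x % y, y)
    if g != 1:
        raise ValueError("no inverse: gcd(x, y) != 1")
    return s % y


def derive_key_params(p, q, d):
    """Values depending only on the secret key: computed once per key
    instead of being input together with every ciphertext C."""
    return {
        "p": p, "q": q, "N": p * q,
        "dp": d % (p - 1), "dq": d % (q - 1),     # remainder calculator
        "pinv": mod_inverse(p, q),                # p^-1 mod q
        "qinv": mod_inverse(q, p),                # q^-1 mod p
    }


class KeyStore:
    """Parameter groups held in the apparatus, selected by key identification
    information, so that only C and the identifier are input per session."""

    def __init__(self):
        self._groups = {}

    def install(self, key_id, p, q, d):
        self._groups[key_id] = derive_key_params(p, q, d)

    def decrypt(self, key_id, C):
        k = self._groups[key_id]          # KeyError for an unknown identifier
        mp = pow(C % k["p"], k["dp"], k["p"])
        mq = pow(C % k["q"], k["dq"], k["q"])
        return (mp * k["q"] * k["qinv"] + mq * k["p"] * k["pinv"]) % k["N"]


if __name__ == "__main__":
    store = KeyStore()
    store.install("key-1", 61, 53, 2753)          # constructed toy key
    print(store.decrypt("key-1", 2790))            # -> 65
```

Installing a key runs the extended Euclidean algorithm twice; every later decryption under the same identifier skips it, which is the saving the text describes for an unchanged secret key.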

Furthermore, when two types of bases are used, 
with respect to the bases a = {a_1, a_2, ..., a_n1} and 
b = {b_1, b_2, ..., b_n2}, the case n1 = n2 = n has been 
described, but it is also possible to set n1 != n2. 

Additionally, the above-described embodiments can 
be applied to a communication system using an RSA 
cryptography, such as shown in FIG. 8. It is more 
effective to apply the present invention to a 
decryption (m = C^d mod N) which needs more calculation 
amount than an encryption. But the encryption 
(C = m^e mod N) is represented by an equation similar to 
that of the decryption. Of course, the present 
invention can also be applied to the encryption (e.g., 
a case in which the apparatus having the secret key 
performs the encryption). In this case, in the above 
description, the plaintext m is inputted instead of the 
ciphertext C, and the exponent e may be used instead of 
the exponent d. 

Hardware and software constitutions of the 
calculation apparatus will next be described. 

The present embodiment has been described assuming 
that the present calculation apparatus (deciphering 
apparatus or enciphering apparatus) is realized by 
hardware, but it is also possible to realize the 
apparatus as software. 

When the apparatus is constituted as hardware, the 
apparatus is formed, for example, as a semiconductor 
device, and in one mode is mounted as an operation board 
or card in a computer such as a personal computer. 
When the computer uses an OS, in another mode a driver 
for the operation device may be incorporated in the OS 
and used. Moreover, it is also possible to form the 
apparatus as a semiconductor device and to dispose it 
in apparatuses such as AV equipment and household 
electric appliances. 

When the apparatus is realized by software, the 
apparatus can be implemented as program for allowing a 
computer to execute predetermined means (for allowing 
the computer to function as the predetermined means, or 
for allowing the computer to realize the predetermined 
function) . Alternatively, the apparatus can also be 
implemented as a computer readable recording medium in 
which the program is recorded. Needless to say, it is 
also possible to utilize various fast techniques such 
as a multi-processor and pipeline processing. 

According to the present invention, when the 
operation utilizing the Chinese remainder theorem, the 
operation utilizing the residue number system, and 
Montgomery operation are united, the modular 
exponentiation calculation can more efficiently be 
executed. 

While the description above refers to particular 
embodiments of the present invention, it will be 
understood that many modifications may be made without 
departing from the spirit thereof. The accompanying 
claims are intended to cover such modifications as 
would fall within the true scope and spirit of the 
present invention. The presently disclosed embodiments 
are therefore to be considered in all respects as 
illustrative and not restrictive, the scope of the 
invention being indicated by the appended claims, 
rather than the foregoing description, and all changes 
that come within the meaning and range of equivalency 
of the claims are therefore intended to be embraced 
therein. For example, other constitutions obtained by 
replacing a part of the illustrated constitution with 
another part, omitting a part of the illustrated 
constitution, adding another function or element to 
the illustrated constitution, or combining the 
constitutions are also possible. Moreover, another 
constitution logically equivalent to the illustrated 
constitution, another constitution including a part 
logically equivalent to the illustrated constitution, 
another constitution logically equivalent to a main 
part of the illustrated constitution, and the like are 
also possible. Furthermore, another constitution which 
achieves the same or similar object as the object of 
the illustrated constitution, another constitution 
which produces the same or similar effect as that of 
the illustrated constitution, and the like are also 
possible. 

Additionally, it is possible to appropriately 
combine and implement various variations relating to 
various constituting parts described in the embodiment 
of the present invention. 

Moreover, the mode for carrying out the present 
invention includes various viewpoints, stages, 
concepts, and categories such as an invention as an 
individual apparatus, invention relating to two or more 
associated apparatuses, invention as a whole system, 
invention relating to constituting parts inside the 
individual apparatus, and invention of a corresponding 
method. 

Therefore, the present invention can be extracted 
from a content disclosed in the content described in 
the embodiment of the present invention without 
limiting the present invention to the illustrated 
constitution. 

The present invention is not limited to the 
aforementioned modes, and can variously be modified and 
implemented in the technical scope. 

Moreover, the present invention can also be 
implemented as a computer readable recording medium in 
which a program for allowing a computer to execute 
predetermined means, allowing the computer to function 
as predetermined means, or allowing the computer to 
realize a predetermined function is recorded. 



